
Setup centralised Syslog server

Server

Open port 514 tcp/udp in the UFW firewall for the client subnet (destination port; without a proto both tcp and udp are allowed):
ufw allow from 192.168.122.0/27 to any port 514

mkdir /var/log/rsyslog
chown root:adm /var/log/rsyslog

The rules in 90-rsyslog.conf below must be processed before the “*.info;mail.none;authpriv.none;cron.none /var/log/syslog” entry; this ordering comes from the $IncludeConfig /etc/rsyslog.d/*.conf directive, which sits above that entry in /etc/rsyslog.conf.
Be sure to replace server-name below with the hostname of your central logging server.

/etc/rsyslog.d/90-rsyslog.conf

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

# log each machine to its own rsyslog directory
$template TmplAuth, "/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"

# rules for remote hosts only (everything not sent by server-name):
# authpriv.* to TmplAuth, then *.info;mail.none;authpriv.none;cron.none to TmplMsg
if $hostname != 'server-name' and $syslogfacility-text == 'authpriv' then ?TmplAuth
if $hostname != 'server-name' and $syslogseverity <= 6 and $syslogfacility-text != 'mail' and $syslogfacility-text != 'authpriv' and $syslogfacility-text != 'cron' then ?TmplMsg

# discard remote messages here so they do not also reach the server's own /var/log/syslog
if $hostname != 'server-name' then ~
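The routing these rules perform can be traced with a small model of rsyslog's decision, added here as an example and not part of the original post: it decodes the RFC 3164 PRI field into facility and severity and applies the page's selectors in order. It assumes messages arrive in rsyslog's default "<PRI>timestamp host tag[pid]: text" wire format and that TmplAuth and TmplMsg point at the same path; the sample lines are constructed.

```python
"""Model of the per-host routing in 90-rsyslog.conf: decode the RFC 3164
PRI field and decide where a received message would be written."""
import re

# facility numbers 0..23 as defined in RFC 3164 / RFC 5424
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
INFO = 6  # severities: emerg=0 ... notice=5, info=6, debug=7

# "<PRI>Mon dd hh:mm:ss host tag[pid]: message" (assumed wire format, rsyslog's default forwarder)
LINE = re.compile(r"^<(?P<pri>\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d "
                  r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: ")

def parse(line):
    """Split one syslog line into facility, severity, hostname and programname."""
    m = LINE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": FACILITIES[pri // 8], "severity": pri % 8,
            "host": m.group("host"), "program": m.group("tag")}

def route(msg, server_name):
    """Return the file the message is written to, applying the rules in rsyslog's order."""
    if msg["host"] == server_name:     # the server's own messages fall through to rsyslog.conf
        return "/var/log/syslog"       # (modelled here as the default syslog file)
    per_host = "/var/log/rsyslog/%s/%s.log" % (msg["host"], msg["program"])
    if msg["facility"] == "authpriv":  # authpriv.*  ?TmplAuth
        return per_host
    # *.info;mail.none;authpriv.none;cron.none  ?TmplMsg  (authpriv already handled above)
    if msg["severity"] <= INFO and msg["facility"] not in ("mail", "cron"):
        return per_host
    return None                        # remote message matched nothing: discarded

# constructed sample traffic, one line per client named on this page
SAMPLE = [
    "<86>Mar  3 10:15:02 home-switch sshd[1234]: Accepted publickey for admin",   # authpriv.info
    "<22>Mar  3 10:15:03 home-receiver postfix[42]: status=sent",                # mail.info
    "<15>Mar  3 10:15:04 faix-receiver kodi[7]: trace output",                   # user.debug
    "<30>Mar  3 10:15:05 faix-receiver ntpd[9]: clock synchronised",             # daemon.info
]

if __name__ == "__main__":
    for line in SAMPLE:
        msg = parse(line)
        print(msg["host"], msg["program"], "->", route(msg, "server-name"))
```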

Comment out the |/dev/xconsole block at the end of the file to stop the error message about the missing xconsole pipe, and add mail.none so Postfix messages are not logged to /var/log/syslog.

/etc/rsyslog.conf

# daemon.*;mail.*;\
# news.err;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole

*.*;auth,authpriv.none;mail.none    -/var/log/syslog

Verify rsyslog configuration:
rsyslogd -f /etc/rsyslog.conf -N9
You should see the message below; otherwise check your log for error messages.

rsyslogd: End of config validation run. Bye.

Restart rsyslog daemon:
service rsyslog restart

/etc/logrotate.d/rsyslog

/var/log/syslog
# insert the line below right after the first line so logs from remote hosts
# are rotated with the same settings as /var/log/syslog
/var/log/rsyslog/*/*.log

Client

Add the following line at the end of the file.
/etc/rsyslog.conf

# a single @ forwards over UDP; use @@home-server:514 to forward over TCP
*.*   @home-server:514

service rsyslog restart

List of clients

home-switch
home-receiver
faix-receiver